2010/1/21 Ian Hickson <ian@hixie.ch>
> If you're using text/sandboxed-html, you're not targeting legacy UAs, so
> I don't really think that's a problem we need to worry about.
>
Let's say the spec is finalised and a browser supports the new attribute.
Nobody will use it because of the prompts. The majority of web sites aren't
going to redirect legacy browsers and therefore the sandboxed iframe will
fail because legacy browsers will dictate what web designers/developers do.
The difficulty in detecting browsers and the average person's knowledge of
DOM and how to detect features is going to add to this mess. By providing a
separate sandboxed src attribute the web developer can choose which items
are sandboxed and then provide a mechanism or fallback url if they don't.
This worked in the past and it can work now; examples of this are:-
<script></script>
<noscript>You don't have javascript</noscript>
<object>You don't support this object</object>
By using this principle the web developer can easily provide legacy browsers
with an alternative or a message:-
<iframe sandbox-src="sandoxedcontent.html"
src="browser_unsupported.html"></iframe>